Two flaws were fixed in the recently-released MediaWiki 1.21.3, 1.20.8, and 1.19.9 releases:

* Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568).
  https://bugzilla.wikimedia.org/show_bug.cgi?id=55332

* Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached, and returned to other users (CVE-2013-4572).
  https://bugzilla.wikimedia.org/show_bug.cgi?id=53032

References:
https://bugs.gentoo.org/show_bug.cgi?id=491278
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729629
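A defensive check for the condition described under CVE-2013-4572 above, as an added example that is not part of the original report and is not MediaWiki's code: it flags responses that set a cookie without telling shared caches not to reuse them. The header values, the cookie name and the function names are constructed for illustration.

```python
# Added example: header values and the cookie name are constructed samples.

def parse_cache_control(value):
    """Map lowercased Cache-Control directive names to their arguments."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def shared_lifetime(cc):
    """Freshness lifetime a shared cache applies; s-maxage overrides max-age."""
    for key in ("s-maxage", "max-age"):
        if key in cc:
            try:
                return int(cc[key])
            except ValueError:
                return None  # malformed value: treat as unknown, so it gets flagged
    return None

def cookie_exposed_to_shared_cache(headers):
    """headers is a list of (name, value) pairs because Set-Cookie may repeat."""
    if not any(n.lower() == "set-cookie" for n, _ in headers):
        return False
    cc = parse_cache_control(
        ",".join(v for n, v in headers if n.lower() == "cache-control"))
    if cc.keys() & {"private", "no-store", "no-cache"}:
        return False  # a shared cache must not reuse this without revalidation
    return shared_lifetime(cc) != 0  # 0 means stale on arrival

COOKIE = ("Set-Cookie", "example_session=CONSTRUCTED; path=/; HttpOnly")
SAMPLES = {
    # max-age=0 does not help here: s-maxage takes precedence for shared caches.
    "cookie_with_s_maxage": [
        ("Cache-Control", "s-maxage=18000, must-revalidate, max-age=0"), COOKIE],
    "cookie_private": [
        ("Cache-Control", "private, must-revalidate, max-age=0"), COOKIE],
    "cookie_no_cache_control": [COOKIE],
    "no_cookie_s_maxage": [("Cache-Control", "s-maxage=18000, max-age=0")],
}

def audit(samples):
    """Return the names of sample responses whose cookies a shared cache could reuse."""
    return sorted(n for n, h in samples.items() if cookie_exposed_to_shared_cache(h))

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("cookie cacheable by shared cache:", name)
```

The check is deliberately conservative: a cookie-setting response with no Cache-Control header at all is flagged, because whether it gets stored then depends on the cache's own defaults.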
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1030989]
Affects: epel-5 [bug 1030991]

Created mediawiki119 tracking bugs for this issue:

Affects: fedora-18 [bug 1030990]
Affects: epel-6 [bug 1030993]
mediawiki-1.19.9-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.21.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki119-1.19.9-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.21.3-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.